There is no Action mapped for namespace / and action name login<script>alert(document.cookie)</script>.

NOTE: Without proper output escaping for the invoked action (which is controlled by the user), the injected malicious scripting code is executed by the browser (the HTTP response's content-type header is set to text/html).

NOTE: Without proper output escaping for the invoked method (which is controlled by the user), the injected scripting code will be executed by the browser (the HTTP response's content-type header is set to text/html).

This allows successful reflected XSS attacks using <s:submit> tag.

UPDATED (2011-05-18): The returned error also exposes internal paths for the Java class implementing the action for which we manipulate the method to be called (LoginAction in this case). This issue is documented by MVSA-11-007security advisory.

WebWork framework seems to be vulnerable to similar attacks. However, since the project is not actively maintained (being replaced by Apache Struts 2), there might be an option to look into building the project from source and to include similar fixes to those suggested for XWork com.opensymphony.xwork2.DefaultActionProxy class patched in Struts 2.2.3 (details available at https://issues.apache.org/jira/browse/WW-3579).